What versions of OS X come default with the affected versions of OpenSSL?

All Internet traffic right now is clogged with the same generic information in regard to the Heartbleed bug, without any attention paid to Macintosh in the environment. I am looking for information on Mac OS X client as well as Mac OS X server. Right now it's impractical for me to check all the Macs in the environment for their specific version of OpenSSL, but I already have the Mac OS X version information for the affected machines.

This is more a concern for web servers than clients used to connect to them. Your information can be compromised even if your machine doesn't have the Heartbleed version of OpenSSL.
– Mark, Apr 8 '14 at 18:28


@Mark true, but what happens when someone wants to run an app that turns their machine into a webserver, and uses the built in version of OpenSSL? Mac apps maybe not so much, but that's why I asked about OS X server as well. Mobiles are likely to be more affected though b/c a lot of mobile apps try to implement that functionality.
– BigHomie, Apr 8 '14 at 18:29

However, the whole question largely misses the point that it isn't client machines that are in danger, but servers. If you are accessing a server that has been compromised, then it doesn't matter whether you run MacOS X or Windows 95, you are accessing a server that might be leaking any information the server has about you. It's only of interest if you are using your own Mac as a server.
– gnasher729, Apr 9 '14 at 17:50


Not true. The exploit can be used by malicious servers against clients which use OpenSSL to make the connection.
– Michael Hampton, Apr 10 '14 at 2:55


@gnasher729 There is no reason you can't ask a different question about the point you feel is missing. This Q&A is narrow and focused on what versions of OS X might have their memory contents exposed to the network by a programming bug. It's not meant to be a general risk assessment for any Mac user or even about any larger picture.
– bmike♦, Apr 10 '14 at 10:28

3 Answers

No versions of OS X are affected (nor is iOS affected). Only installing a third party app or modification would result in a Mac or OS X program having that vulnerability / bug in OpenSSL version 1.0.x.

Apple deprecated OpenSSL on OS X in December of 2012 if not earlier. No version of OpenSSL that is vulnerable to CVE-2014-0160 (a.k.a. the Heartbleed Bug)

Apple provides several alternate application interfaces that provide SSL to Mac developers and has this to say about OpenSSL:

> OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged.

Specifically, the latest version of OpenSSL shipped by Apple is OpenSSL 0.9.8y 5 Feb 2013 which does not appear to have the bug from newer versions of OpenSSL back ported to the code for Apple's version of the library.

The PDF of this documentation has some clearly written advice for developers and some sections that are useful for professionals or the security minded user as well.

Considering this, the only remaining issue would be additional software that was built against OpenSSL, e.g. several in Homebrew (brew update followed by brew upgrade) or MacPorts (port selfupdate followed by port upgrade openssl) to update to the patched 1.x version of OpenSSL.

Also, you could use mdfind/mdls to check on files named openssl in case you have other applications that bundle that library as Apple recommends rather than depending on the "safe" version Apple still ships with OS X.

For those who use MacPorts, they've released an updated OpenSSL as well. Running port selfupdate followed by port upgrade openssl will get you the fixed 1.0.1g version.
– CoreDumpError, Apr 9 '14 at 0:01


@CoreDumpError Thanks for that - I did embed your commands in the answer so that people see it clearly right next to the homebrew "recipe".
– bmike♦, Apr 9 '14 at 15:25

It’s also worth noting that Apple’s client software uses Secure Transport, Apple’s own code, not OpenSSL; the same goes for any software using Cocoa or Core Foundation APIs to communicate over the 'Net.
– alastair, Apr 10 '14 at 10:44

> A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. **Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.**

via openssl.org (emphasis added). So as grgarside said...

– dwightk, Apr 8 '14 at 17:57

@dwightk The question was about which versions of OS X have one of the affected OpenSSL versions. The versions of OpenSSL that are affected are well known, thanks though.
– BigHomie, Apr 8 '14 at 18:04

While OS X doesn't ship with the affected releases of OpenSSL, it's still strongly encouraged to run openssl version in case one may have been installed as part of some third party package.

For example, my computer reported OpenSSL 1.0.1f 6 Jan 2014 because it had been included as a dependency for something I had installed through MacPorts. sudo port upgrade outdated solved this, of course.
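An automated form of the check the answers recommend, added here as an example and not code from any of the answers: it classifies an openssl version banner using the affected range openssl.org states (1.0.1 through 1.0.1f and the 1.0.2-beta releases), then reports every openssl binary on PATH and, where Spotlight's mdfind is available (assumed to be an OS X host), any libssl copies bundled outside /usr/lib that a package manager would not update.

```shell
#!/bin/sh
# Added example: flag OpenSSL builds vulnerable to CVE-2014-0160 (Heartbleed).
# Affected, per openssl.org: 1.0.1 .. 1.0.1f and 1.0.2-beta releases.
# Not affected: 0.9.8x (what Apple ships), 1.0.0x, and 1.0.1g or later.

# heartbleed_affected "OpenSSL 1.0.1f 6 Jan 2014"
# Returns 0 (true) when the banner names an affected release, 1 otherwise.
heartbleed_affected() {
    set -- $1            # split the banner on whitespace; $2 is the version
    ver=$2
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 through 1.0.1f
        1.0.2-beta*)      return 0 ;;   # 1.0.2-beta1 and sibling betas
        *)                return 1 ;;   # 0.9.8y, 1.0.0l, 1.0.1g, ...
    esac
}

# check_host: interactive report for the machine this runs on.
check_host() {
    # Every openssl on PATH: /usr/bin/openssl (Apple's 0.9.8y) plus any
    # Homebrew or MacPorts copy that shadows it.
    for bin in $(which -a openssl 2>/dev/null); do
        banner=$("$bin" version 2>/dev/null) || continue
        if heartbleed_affected "$banner"; then
            printf 'AFFECTED  %s  (%s)\n' "$bin" "$banner"
        else
            printf 'ok        %s  (%s)\n' "$bin" "$banner"
        fi
    done
    # Libraries bundled inside applications, which `brew upgrade` or
    # `port upgrade openssl` will not touch. mdfind is Spotlight on OS X;
    # this step is simply skipped elsewhere.
    if command -v mdfind >/dev/null 2>&1; then
        echo 'Bundled libssl copies outside /usr/lib (check each app for an update):'
        mdfind -name libssl 2>/dev/null | grep -v '^/usr/lib/' || true
    fi
}

# Run the report only when invoked as: sh heartbleed_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

The library check only lists candidates; an app that statically links OpenSSL will not show up, so the vendor's own advisory is still the authority for bundled software.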